"rpmbuild --rebuild" does not result in hardened build

Dan Horák dan at danny.cz
Tue Jun 18 20:08:48 UTC 2013


On Tue, 18 Jun 2013 21:41:37 +0200
Reindl Harald <h.reindl at thelounge.net> wrote:

> 
> 
> On 18.06.2013 19:18, Panu Matilainen wrote:
> > On 06/18/2013 04:21 PM, Reindl Harald wrote:
> >> can someone look at this?
> >> https://bugzilla.redhat.com/show_bug.cgi?id=975273
> >>
> >> why are the hardening-macros not respected with "rpmbuild"?
> > 
> > Because of this (from
> > https://bugzilla.redhat.com/show_bug.cgi?id=975273#c3):
> > 
> >> [builduser at buildserver64:~]$ cat .rpmrc
> > optflags: x86_64 -m64 -O3 -march=corei7 -mtune=corei7 -fopenmp
> > -mmmx -msse2 -msse3 -msse4.1 -msse4.2 -maes -pipe -fstack-protector
> > --param=ssp-buffer-size=4 -mfpmath=sse -D_FORTIFY_SOURCE=2
> > -fexceptions
> > 
> > You're overriding the distro defaults and not including
> > %{__global_cflags} which is a part of how the hardening flags (among
> > all sorts of other distro defaults) get set for builds
> 
> because it ends in double options with different values
> "-O3 -O2" makes little sense and does not look predictable

the latter wins, it's specified by gcc docs


		Dan

> IMHO the hardening-macro should ADD its params to whatever existing
> ones
> 
> -m64 -O3 -march=corei7 -mtune=corei7 -fopenmp -mmmx -msse2 -msse3
> -msse4.1 -msse4.2 -maes -pipe -fstack-protector
> --param=ssp-buffer-size=4 -mfpmath=sse -D_FORTIFY_SOURCE=2
> -fexceptions -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector --param=ssp-buffer-size=4
> 
> 
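
Added example, not part of the original message or of rpm or gcc: a small shell function that walks a flag string left to right and reports the values that remain once later options have overridden earlier ones, run here on the concatenated flags quoted in the message. The function name `audit_flags` and its output format are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: resolve a merged flag string the way gcc does, where the
# last occurrence of a repeated option wins.

audit_flags() {
    opt="0"            # gcc's default when no -O option is given
    ssp="off"
    fortify="unset"
    set -f             # split on whitespace only, no glob expansion
    for f in $1; do
        case "$f" in
            -O)  opt="1" ;;                       # bare -O means -O1
            -O*) opt="${f#-O}" ;;
            -fstack-protector)        ssp="default" ;;
            -fstack-protector-all)    ssp="all" ;;
            -fstack-protector-strong) ssp="strong" ;;
            -fno-stack-protector)     ssp="off" ;;
            -D_FORTIFY_SOURCE=*|-Wp,-D_FORTIFY_SOURCE=*) fortify="${f##*=}" ;;
            -U_FORTIFY_SOURCE|-Wp,-U_FORTIFY_SOURCE)     fortify="unset" ;;
        esac
    done
    set +f
    # glibc's _FORTIFY_SOURCE checks only take effect with optimization enabled
    if [ "$opt" = "0" ] || [ "$fortify" = "unset" ] || [ "$fortify" = "0" ]; then
        active="no"
    else
        active="yes"
    fi
    printf 'opt=-O%s ssp=%s fortify=%s fortify_active=%s\n' \
        "$opt" "$ssp" "$fortify" "$active"
}

# The concatenated flags quoted at the end of the message above.
MERGED="-m64 -O3 -march=corei7 -mtune=corei7 -fopenmp -mmmx -msse2 -msse3 \
-msse4.1 -msse4.2 -maes -pipe -fstack-protector --param=ssp-buffer-size=4 \
-mfpmath=sse -D_FORTIFY_SOURCE=2 -fexceptions -O2 -g -pipe -Wall \
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector \
--param=ssp-buffer-size=4"

audit_flags "$MERGED"
```

The same function can be pointed at the output of `rpm --eval '%{optflags}'` to see what a local `.rpmrc` override leaves in effect.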

